Set up MFAget help

The following are the two options available to set up your MFA. Please select the device according to the comparison table below: 

Mobile Device

⭐ Recommended for most MFA users

This option is recommended for most MFA users as it offers the best user experience.

⭐ It's more convenient

  • Estimated 5-minute setup experience to complete the enrollment.
  • Can be set up at any time with the self-service instructions.
  • No additional devices to carry with you; most individuals already keep their mobile devices close by.
  • LastPass Authenticator mobile app benefits:
    • Lightweight; takes very little space on a phone (i.e., approximately equivalent to the size of a photo)
    • No personal info collected/tracked
    • No internet connection/data plan needed to function
    • Free of charge to use
    • Well-known and reputable vendor
  • Other mobile app options available; many free apps are available on the app store that supports SFU's MFA.

⭐ MFA code can only be accessed by authorized individual of the mobile device

If lost or stolen, your mobile device may have biometric or other protections (e.g., your phone's passcode lock) that further protect your MFA codes from unauthorized access.

Hardware Token

Only available to faculty/staff

This option is only for faculty/staff who are unable to use a mobile device.

Note. Hardware tokens should not be used for backup purposes. There are dedicated emergency login codes that serves as backup if your mobile device is left at home, is lost, or runs out of battery.

It's less convenient

  • Estimated 1- to 2-week lead time needed from the time of request and delivery of the token to your location
  • Requests are waitlisted due to COVID-19 responses; there may be unavoidable delays with token provisioning
  • Is an additional device to carry with you; can be easily misplaced due to small size
  • Non-serviceable, non-rechargeable battery with limited life span
  • No display backlighting; may be more difficult for some individuals to see codes
  • More prone to "invalid code" errors that cannot be corrected; hardware tokens run on their own built-in timing devices to generate codes that may fall out of synchronization with SFU's MFA servers. If this occurs, the only solution at this time is to request a new hardware token and undergo the setup process again.

MFA code is displayed on the token and no authorization is needed to access the codes

If lost or stolen, a hardware token has no further protections in place to prevent unauthorized access to your MFA codes. You would need to immediately report a lost/stolen hardware token to the IT Service Desk to request its deactivation. 

Note. All hardware token requests need to be submitted to the IT Service Desk by May 1, 2021. For more details on what to include in your request, please see step 1 of the hardware token setup guide.

Equipment needed for the set up

For the best experience, you will need the following equipment for your MFA set up:

  1. The device you planned to use for MFA (i.e., your mobile device or hardware token), and
  2. laptop/desktop to assist with the enrollment.

Featured Frequently Asked Questions (FAQs)

The following is a list of featured frequently asked questions relating to the setup of MFA. For the full list of FAQs, please visit our Frequently Asked Questions page for more information.

General

How do I start using my MFA login? How do I retireve my MFA login codes?

To log in with MFA, you’ll enter your username and password as you currently do, and then type in the 6-digit MFA code (changes every 30 seconds) that you see on your MFA device (e.g., mobile device/hardware token).

There is also the option of “remembering” your MFA sign-in for 7 days.

Note. Remember to keep your mobile device nearby to sign in using the 6-digit MFA codes. You should only use your 8-digit emergency login codes as the last resort.

I don’t have, or I am unable to use a mobile device for MFA. What can I use instead?

If you don’t have a mobile device or are unable to use one for MFA, using a hardware token would be an alternative. A hardware token is a small device that displays the 6-digit code for logging into MFA.

  • Note. Hardware tokens should not be used for backup purposes. There are dedicated emergency login codes that serves as a backup if your mobile device is left at home, lost, or runs out of battery.

SFU faculty and staff that need a hardware token can submit a request to the IT Service Desk (its-help@sfu.ca) by May 1, 2021. After May 1st, we cannot guarantee that the hardware token will arrive via mail in time.

Please include the following information when submitting your hardware token request to the IT Service Desk:

  1. Subject line: "MFA Hardware Token Request - Faculty/Staff"
  2. Message body:
    • brief explanation on why you'd like to request a hardware token (e.g., don’t have access to a mobile device, requesting a replacement, etc.).
    • Your contact information (SFU computing ID, full name, phone number, and department).
    • Your mailing address to send the hardware token.
      • *Note. Due to the current COVID-19 measures, token requests are being processed remotely and mailed out to the requestors. Delivery to campus addresses may actually be slower than to residential addresses.

Can I enroll both a hardware token and mobile device?

No; Currently, our system does not support multiple MFA devices.

What if my mobile device/hardware token is left at home, is lost, or runs out of battery?

If your hardware token is lost, stolen or broken, please contact IT Service Desk at its-help@sfu.ca for a replacement. Once the request has been approved, the token will be mailed out to the address provided in the request. Delivery may take up to two weeks, and may be longer for international addresses.

Please include the following information when submitting your hardware token request to the IT Service Desk:

  1. Subject line: "MFA Hardware Token Request - Faculty/Staff"
  2. Message body:
    • brief explanation on why you'd like to request a hardware token (e.g., requesting a replacement)
    • Your contact information (SFU computing ID, full name, phone number, and department)
    • Your mailing address to send the hardware token.
      • *Note. Due to the current COVID-19 measures, token requests are being processed remotely at this time. Delivery to campus addresses may actually be slower than to residential addresses.

Mobile Device

Do I need to have cellular service or data coverage to use the MFA Mobile Applications?

No; TOTP (Time-based One-time Password) MFA mobile applications do not require any cell service or data coverage to work, but you will need internet access when you first download the application onto your device.

*TOTP protocol for multi-factor authentication requires a time-based (30 second) code that the user must enter. It changes every 30 seconds to maximize security.

I already have an app that does MFA, can I use that?

Applications that support the TOTP protocol will work for MFA at SFU. If you already have a MFA application that you are using for other services, you may continue to use that application for MFA at SFU as well.

Note. SFU recommends LastPass Authenticator because of the benefits it provides to users, but we are not affiliated with LastPass Authenticator or any third-party MFA applications. You are free to choose any of the MFA mobile apps that support the TOTP protocol.

*TOTP (Time-based One-time Password) protocol for multi-factor authentication requires a time-based (30 second) code that the user must enter. It changes every 30 seconds to maximize security.

Will my personal information be collected through MFA and/or the MFA app?

No; SFU’s MFA service is built and hosted at SFU and does not collect personal information. In addition, the recommended mobile app, LastPass Authenticator, does not collect personal information.

How it works: When you scan the QR code with your mobile app as part of the initial MFA setup, the app is obtaining a secret key from SFU’s MFA servers from which your MFA login codes will be generated. From that point onward, there is no MFA-related communication made from your mobile app: Your mobile app only relies on your mobile device’s time and the secret key for the MFA login code generation every 30 seconds. This is also why the app does not require cellular service nor an internet connection to function.

Note. SFU recommends LastPass Authenticator because of the benefits it provides to users, but we are not affiliated with LastPass Authenticator or any third-party MFA applications. You are free to choose any of the MFA mobile apps that support the TOTP protocol.

Can I use a tablet or other mobile device that is not a smartphone for MFA?

Any "smart device", such as iPad or Android tablet, can be used to run an MFA application.

Note. MFA applications do not require any cell service or data coverage to work, but you will need internet access when you first download the application onto your device.

Hardware Token

Is the hardware token free of charge?

At this time, the hardware token is free for all SFU faculty and staff.

SFU faculty and staff that need a hardware token can submit a request to the IT Service Desk (its-help@sfu.ca) by May 1, 2021. After May 1st, we cannot guarantee that the hardware token will arrive via mail in time.

Please include the following information when submitting your hardware token request to the IT Service Desk:

  1. Subject line: "MFA Hardware Token Request - Faculty/Staff"
  2. Message body:
    • A brief explanation on why you'd like to request a hardware token (e.g., don’t have access to a mobile device, requesting a replacement, etc.).
    • Your contact information (SFU computing ID, full name, phone number, and department).
    • Your mailing address to send the hardware token.
      • *Note. Due to the current COVID-19 measures, token requests are being processed remotely and mailed out to requestors. Delivery to campus addresses may actually be slower than to residential addresses.

Can the hardware token be mailed outside of Canada?

Yes, we can mail the hardware token outside of Canada.

Can I have someone else to pickup the hardware token on my behalf?

Due to the current COVID-19 measures, token requests are being processed remotely and token pickups are not available at this time. 

How long will the battery last on my token?

The battery life of hardware tokens are expected to last at least around 4 to 5 years.

 

Have questions? Please see our collection of Frequently Asked Questions or visit our MFA Toolkits.

For additional assistance, please contact your department’s IT staff, IT Service Desk or email us at mfa-info@sfu.ca.